Authentication
Windows Authentication Options
When connecting to a Windows host, there are several different options that can be used when authenticating with an account.
Option | Local Accounts | Active Directory Accounts | Credential Delegation | HTTP Encryption |
---|---|---|---|---|
Basic | Yes | No | No | No |
Certificate | Yes | No | No | No |
Kerberos | No | Yes | Yes | Yes |
NTLM | Yes | Yes | No | Yes |
CredSSP | Yes | Yes | Yes | Yes |
Microsoft drops MSCHAPv2
Enabling Credential Guard in Windows 11 blocks the "Use my Windows user account" checkbox, because Credential Guard no longer hands the NTLM password hash that MSCHAPv2 depends on to the EAP supplicant.
We need to move from PEAP-MSCHAPv2 to EAP-TLS before it is completely deprecated.
EAP method (WPA2/WPA3-Enterprise) | Credential protection | Directory support | Credentials |
---|---|---|---|
EAP-TLS | public key (client certificate) | Universal | Passwordless |
PEAP-MSCHAPv2 | NT hash (MD4) challenge/response | Active Directory | Passwords |
EAP-TTLS/PAP | none (password in cleartext inside the TLS tunnel) | Non-AD LDAP server | Passwords |
Credentials: Passwordless means you cannot tick "Use my Windows user account" in the password prompt (it is grayed out).
SMTP AUTH
SMTP (Simple Mail Transfer Protocol) is the protocol for sending email. The AUTH command (the SMTP authentication extension, RFC 4954) starts an authentication exchange between client and server. How well the credentials are protected depends entirely on the mechanism chosen and on whether the connection is already encrypted. SMTP authentication is essential for email security because it is what lets a submission server restrict relaying to authorized clients.
AUTH PLAIN and AUTH LOGIN are two different SMTP authentication mechanisms.
AUTH PLAIN: the client sends the username and password in cleartext (not encrypted) as one string of the form authorization-id NUL username NUL password (the authorization-id is normally empty), base64-encoded. Base64 is an encoding, not encryption; anyone who sees the bytes can decode them instantly, so it provides no security at all. AUTH PLAIN must therefore only be used on a TLS-protected connection (implicit TLS, or after STARTTLS), which keeps the credentials away from eavesdroppers. It needs fewer round trips because the credentials can travel in a single command: AUTH PLAIN <base64 blob>.
AUTH LOGIN: LOGIN also sends the username and password in cleartext, but as two separate base64-encoded responses. The server prompts with 334 VXNlcm5hbWU6 (base64 of "Username:") and the client answers with the base64 username; the server then prompts with 334 UGFzc3dvcmQ6 (base64 of "Password:") and the client answers with the base64 password. It gives no more protection than PLAIN and likewise belongs only on a TLS connection. It is older and was never formally standardised in an RFC, but it is widely supported by mail clients and servers; it costs one extra round trip because the credentials go in two stages.
In summary, the key difference between AUTH PLAIN and AUTH LOGIN is that PLAIN sends the username and password together in a single base64-encoded string, while LOGIN sends them separately in a sequence of two responses, also base64-encoded. Neither mechanism protects the credentials by itself; both must be used over a secure connection, and a server should not advertise PLAIN or LOGIN in its EHLO response until TLS is active.
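The two exchanges above, as an added example that is not part of the original notes: it builds the PLAIN initial response and the two LOGIN responses exactly as a client would send them, and then shows why neither is "protection" by recovering the credentials from a captured cleartext session. The transcript, the "C: " / "S: " prefix convention, the host names and the account alice / s3cret are all constructed for this example.

```python
"""SMTP AUTH PLAIN and AUTH LOGIN: how credentials are encoded on the wire, and how
trivially they come back out of a captured cleartext session (added example).
Assumes a capture format where client lines start with "C: " and server lines with "S: "."""
import base64
from typing import List, Tuple


def plain_initial_response(username: str, password: str, authzid: str = "") -> str:
    """AUTH PLAIN (RFC 4616): base64(authzid NUL authcid NUL password), normally sent
    inline as the initial response: AUTH PLAIN <this string>."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def login_responses(username: str, password: str) -> Tuple[str, str]:
    """AUTH LOGIN: username and password go as two separate base64 strings,
    each answering a '334 <base64 prompt>' line from the server."""
    return (base64.b64encode(username.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii"))


def _b64(token: str) -> str:
    # strict decoding: a malformed token raises instead of silently yielding garbage
    return base64.b64decode(token.encode("ascii"), validate=True).decode("utf-8")


def extract_credentials(transcript: str) -> List[Tuple[str, str, str]]:
    """Recover (mechanism, username, password) from every AUTH PLAIN / AUTH LOGIN
    exchange in a captured session. No key and no cracking are needed: base64 is an
    encoding, not encryption."""
    client = [ln[3:].strip() for ln in transcript.splitlines() if ln.startswith("C: ")]
    found: List[Tuple[str, str, str]] = []
    i = 0
    while i < len(client):
        parts = client[i].split()
        mech = parts[1].upper() if len(parts) >= 2 and parts[0].upper() == "AUTH" else None
        if mech == "PLAIN":
            if len(parts) > 2:               # credentials carried in the initial response
                blob, i = parts[2], i + 1
            else:                            # server replied '334 ', blob is the next client line
                blob, i = client[i + 1], i + 2
            _authzid, authcid, password = _b64(blob).split("\0", 2)
            found.append(("PLAIN", authcid, password))
        elif mech == "LOGIN":
            if len(parts) > 2:               # optional initial response carries the username
                user, pw, i = _b64(parts[2]), _b64(client[i + 1]), i + 2
            else:
                user, pw, i = _b64(client[i + 1]), _b64(client[i + 2]), i + 3
            found.append(("LOGIN", user, pw))
        else:
            i += 1
    return found


# Constructed sample capture of an unencrypted submission session (not a real server).
# Both mechanisms appear in one session purely so that both decoders are exercised.
SAMPLE_SESSION = """\
S: 220 mail.example.test ESMTP ready
C: EHLO laptop.example.test
S: 250-mail.example.test
S: 250-AUTH PLAIN LOGIN
S: 250 STARTTLS
C: AUTH PLAIN AGFsaWNlAHMzY3JldA==
S: 235 2.7.0 Authentication successful
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: YWxpY2U=
S: 334 UGFzc3dvcmQ6
C: czNjcmV0
S: 235 2.7.0 Authentication successful
C: QUIT
S: 221 2.0.0 Bye
"""

if __name__ == "__main__":
    for mech, user, pw in extract_credentials(SAMPLE_SESSION):
        print(f"{mech}: {user} / {pw}")
```

Note what the sample EHLO response shows: the server advertises AUTH PLAIN LOGIN alongside STARTTLS on the still-unencrypted connection, which is exactly the configuration that lets a client send the credentials before negotiating TLS. A correctly configured server lists the cleartext mechanisms only after STARTTLS has completed.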
SMTP addresses
From - the publicly visible "from" address shown in the mail app. It is a message header, typically set by the mail client when the email is composed, and it plays no part in how SMTP routes the message.
Reply-To - the address the mail app uses as the destination when the recipient replies. It is usually the same as the From address but can be different, and is often set by an Email Service Provider (ESP) so that replies to a bulk mailing land somewhere other than the sending address. When the recipient clicks Reply, the client uses the Reply-To address if it is present and falls back to the From address otherwise; so whenever From and Reply-To differ, the reply goes to Reply-To.
Return-Path - the envelope sender (the MAIL FROM address of the SMTP transaction), used to deliver NDRs (non-delivery / bounce notifications). It is given during the SMTP conversation, before the message content is transferred, and the receiving MTA records it in the Return-Path header of the delivered message.
If sender, from, and env-from are different - routing is driven by env-from (the envelope MAIL FROM), because that is the address the SMTP transaction uses for bounces. The from address is what the recipient sees as the author of the message. If there is also a sender header, the email client may display it to show that someone else submitted the message on behalf of the from address (for example "X on behalf of Y").
If to, reply-to, and env-to differ - env-to (the envelope RCPT TO) determines where the receiving MTA actually delivers the message; a Bcc recipient, for instance, exists only in env-to. The to address is what is displayed to the recipient, while the reply-to address, if present, dictates where a reply is sent when the recipient clicks "Reply" in their email client.
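The two rules above worked through in code, as an added example that is not part of the original notes: given a message and the envelope it was submitted with, the function reports what the recipient sees, where a reply goes, where bounces go and where the MTA actually delivers. The message, the ESP scenario, the addresses and the helper names (describe_delivery, stamp_return_path, build_sample) are all constructed for this example.

```python
"""Header addresses vs. envelope addresses: who sees what, where replies and bounces go
(added example; message and addresses are constructed, not from any real system)."""
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from typing import Dict, List


def describe_delivery(msg: EmailMessage, env_from: str, env_to: List[str]) -> Dict[str, object]:
    """Apply the routing rules: envelope addresses route, header addresses are displayed,
    Reply-To (if any) beats From for replies, Sender is shown as 'on behalf of'."""
    header_from = parseaddr(msg.get("From", ""))[1]
    header_sender = parseaddr(msg.get("Sender", ""))[1] or None
    reply_to = [addr for _, addr in getaddresses(msg.get_all("Reply-To", []))]
    header_to = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    return {
        "displayed_from": header_from,                     # what the recipient reads as the author
        "displayed_to": header_to,                         # what the recipient reads as recipients
        "on_behalf_of": header_sender if header_sender and header_sender != header_from else None,
        "reply_goes_to": reply_to or [header_from],        # Reply-To wins, From is the fallback
        "bounces_go_to": env_from,                         # MAIL FROM, later the Return-Path
        "delivered_to": env_to,                            # RCPT TO, the real delivery list
        "from_envelope_mismatch": parseaddr(env_from)[1] != header_from,
    }


def stamp_return_path(msg: EmailMessage, env_from: str) -> EmailMessage:
    """What the receiving MTA does at final delivery: record MAIL FROM as Return-Path."""
    del msg["Return-Path"]                                  # never trust one the sender supplied
    msg["Return-Path"] = f"<{env_from}>"
    return msg


def build_sample(with_reply_to: bool = True) -> EmailMessage:
    """Constructed sample: a newsletter an ESP sends on behalf of a customer."""
    msg = EmailMessage()
    msg["From"] = "Alice Example <alice@example.test>"
    msg["Sender"] = "bulk@esp.example.test"                 # the party that actually submitted it
    if with_reply_to:
        msg["Reply-To"] = "replies@example.test"             # ESP-managed reply mailbox
    msg["To"] = "Bob <bob@example.test>"
    msg["Subject"] = "Constructed sample"
    msg.set_content("hello")
    return msg


# Constructed envelope: a per-message bounce address (VERP-style) and a Bcc recipient
# that never appears in any header.
SAMPLE_ENV_FROM = "bounce-1234@esp.example.test"
SAMPLE_ENV_TO = ["bob@example.test", "archive@example.test"]

if __name__ == "__main__":
    report = describe_delivery(build_sample(), SAMPLE_ENV_FROM, SAMPLE_ENV_TO)
    for key, value in report.items():
        print(f"{key}: {value}")
    print(stamp_return_path(build_sample(), SAMPLE_ENV_FROM)["Return-Path"])
```

The from_envelope_mismatch flag is the practical takeaway: a mismatch between the envelope sender and the displayed From is normal for ESP traffic and mailing lists, which is why the displayed From on its own says nothing about who actually submitted the message.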